Introduction
DNS over HTTPS (DoH) is a protocol for performing remote DNS resolution via the HTTPS protocol. It aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks. It does this by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver.
Certain browsers (e.g., Firefox, Chrome, and Microsoft Edge) support DoH to hide user browsing data from anyone on the network path between the user and the nameserver by encrypting DNS requests. Whilst this measure enhances the privacy of users, it can prevent DNS-based filtering solutions (e.g., Mimecast Web Security) from protecting users from harmful sites or content.
For example:
- Firefox has a DoH setting enabled by default. Mimecast Web Security customers do not need to take any action regarding this, as we have mitigations in place to disable DoH and continue to enforce acceptable usage policies and protect against web-borne threats. See Configuring Networks to Disable DNS over HTTPS on the Mozilla Support site for further information.
- Google has rolled out pro-privacy DNS-over-HTTPS support in Chrome with the release of version 83. This version enables DoH by default unless the browser runs in a managed environment with one or more enterprise policies applied. See A Safer and More Private Browsing Experience with Secure DNS on Google's Chromium blog for further information.
DoH on Windows Devices
To prevent unintentional enablement of DoH via a browser update or end-user action, the Mimecast Security Agent for Windows version 1.7 disables the DoH feature on the following web browsers:
- Firefox.
- Chrome.
- Microsoft Edge.
This is the default setting, ensuring users are protected from web threats and acceptable usage policies can continue to apply.
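The following PowerShell script is an added example, not Mimecast's reg file or agent code. It audits whether each of the three browsers has an enterprise policy that turns DoH off, and with the -Disable switch writes that policy. The registry paths and value names are the browsers' own documented policy locations (Mozilla's DNSOverHTTPS policy, Chrome's and Edge's DnsOverHttpsMode); which keys the Mimecast Security Agent actually sets is not stated on this page and is assumed here to be equivalent. The canary check uses Mozilla's documented use-application-dns.net mechanism referenced in the Firefox support article above.

```powershell
# Added example (not Mimecast's own reg file or agent code): audit, and optionally set,
# the browser enterprise-policy values that turn off DNS over HTTPS on Windows.
# Paths/values are the browsers' documented policy locations; the Mimecast agent's
# exact keys are an assumption. Run from an elevated session when using -Disable.
[CmdletBinding()]
param([switch]$Disable)

# One entry per browser: policy key, value name, the value meaning "DoH off", registry type.
$DohPolicies = @(
    @{ Browser = 'Firefox'; Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'; Name = 'Enabled';          Off = 0;     Type = 'DWord'  }
    @{ Browser = 'Chrome';  Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';                Name = 'DnsOverHttpsMode'; Off = 'off'; Type = 'String' }
    @{ Browser = 'Edge';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';               Name = 'DnsOverHttpsMode'; Off = 'off'; Type = 'String' }
)

function Get-DohPolicyState {
    # Returns one object per browser: the current policy value and whether it disables DoH.
    foreach ($p in $DohPolicies) {
        $current = $null
        if (Test-Path $p.Path) {
            $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.($p.Name) }
        }
        [pscustomobject]@{
            Browser      = $p.Browser
            Policy       = "$($p.Path)\$($p.Name)"
            CurrentValue = $current
            DohDisabled  = ($null -ne $current -and "$current" -eq "$($p.Off)")
        }
    }
}

function Set-DohDisabled {
    # Writes the "DoH off" value for each browser; HKLM requires administrator rights.
    foreach ($p in $DohPolicies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Off -PropertyType $p.Type -Force | Out-Null
    }
}

function Test-DohCanary {
    # Mozilla's network-level signal: when the local resolver returns no answer (NXDOMAIN)
    # for use-application-dns.net, Firefox treats DoH as disabled on that network.
    $answer = Resolve-DnsName -Name 'use-application-dns.net' -Type A -ErrorAction SilentlyContinue
    return ($null -eq $answer)
}

if ($Disable) { Set-DohDisabled }
Get-DohPolicyState | Format-Table -AutoSize
"Canary domain blocked by resolver: $(Test-DohCanary)"
```

Running the script without -Disable only reads policy keys and performs one DNS lookup, so it is safe to use as a compliance check after an agent upgrade or a browser update; a browser whose row shows DohDisabled = False has no policy forcing DoH off and will follow its own default.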
If the Mimecast Security Agent is uninstalled, the original default browser settings are restored, allowing you to use the DoH feature.
If DoH does not turn off as expected, follow the instructions below to turn it off.
Turning Off DoH Disablement on Windows Devices
Although this is not recommended, as noted above, you can turn off the browser DoH disablement even while the Mimecast Security Agent is still installed on the device. Download and run one of the following reg files on the target device.
To execute a reg file, you must have admin privileges.
- Click here to download the reg file to turn off Mimecast Security Agent DoH disablement.
- Click here to download the reg file to turn back on Mimecast Security Agent DoH disablement on Firefox, Chrome, and Microsoft Edge browsers. This is only required if you've previously turned off the DoH disablement and want to re-enable it.
Mac and iOS Devices
We recommend DoH is disabled via a device management solution, such as JAMF or an MDM.